By now, most of us are aware that smartphones are powerful computers and should be treated as such. It’s not a coincidence that most of the security tips given to smartphone users – such as refraining from opening suspicious links or downloading untrusted apps – also apply to PCs.
But unlike PCs, smartphones contain a plethora of radios – typically cellular, Wi-Fi, Bluetooth and Near Field Communication (NFC) – that enable wireless communication in a variety of circumstances, and these radios are designed to remain turned on as the user moves through the world. It’s important for all smartphone users to understand the security implications of these wireless interfaces.
The headline here is that security gaps with these interfaces, whether baked into the protocol or found in a specific implementation, can allow attackers to force connections to untrusted equipment, giving them opportunities to extract data and even take control of the targeted device.
It’s been reported that sophisticated nation-state actors like Russia and China are highly skilled in using such RF-based techniques, allegedly targeting travelers when passing through airports and other chokepoints. But many of the tools for RF hacking are available to garden-variety hackers as well.
The many ways attackers can engage in RF hacking
Let’s start by looking at cellular communications. A key risk here is the IMSI catcher, also known as a cell-site simulator, fake cell tower, rogue base station, StingRay or dirtbox. An IMSI catcher is equipment designed to mimic a real cell tower so that a targeted smartphone will connect to it instead of the real cell network. Various techniques may be employed to do it, such as masquerading as a neighboring cell tower or jamming the competing 5G/4G/3G frequencies with white noise.
After capturing the targeted smartphone’s IMSI (the ID number linked to its SIM card), the IMSI catcher situates itself between the phone and its cellular network. From there, the IMSI catcher can be used to track the user’s location, extract certain types of data from the phone, and in some cases even deliver spyware to the device.
Unfortunately, there’s no surefire way for the average smartphone user to notice/know that they’re connected to a fake cell tower, though there may be some clues: perhaps a noticeably slower connection or a change in band in the phone’s status bar (from LTE to 2G, for example).
Thankfully, 5G in standalone mode promises to make IMSI catchers obsolete, since the Subscription Permanent Identifier (SUPI) – 5G’s IMSI equivalent – is never disclosed in the handshake between smartphone and cell tower. However, these deployments still represent a small share of all cellular networks, meaning that IMSI catchers will still be effective in a majority of cases for the foreseeable future.
On the Wi-Fi front, a key risk to be aware of is a Karma attack delivered by a rogue access point. A rogue access point is often just a Wi-Fi penetration testing device – the Wi-Fi Pineapple is one popular model – that, instead of being used for auditing Wi-Fi networks, is set up to lure unsuspecting smartphones into connecting.
In a Karma attack, the rogue AP exploits a basic feature of smartphones (and all Wi-Fi-enabled devices): whenever its Wi-Fi is turned on but not connected to a network, a smartphone broadcasts a preferred network list (PNL), which contains the SSIDs (Wi-Fi network names) of access points to which the device previously connected and is willing to automatically reconnect to without user intervention.
After receiving this list, the rogue AP assigns itself an SSID from the PNL, tricking the smartphone into thinking that it’s connected to a familiar Wi-Fi network. Once the targeted smartphone connects, an attacker can eavesdrop on network traffic to collect sensitive information (like passwords or credit card details) and even push out malware to the device or redirect the victim to a malicious site.
Other than by constantly checking the Wi-Fi icon in the status bar, this type of attack is difficult to reliably notice.
Bluetooth exploits are a slightly different animal, as instead of relying on limitations inherent in the protocol’s standard operating procedures, attackers leverage specific vulnerabilities within the protocol or its implementation to carry out an attack. Bluetooth is a famously long and complex standard, meaning that there are more opportunities for bugs to appear in the actual code of the protocol as well as more opportunities for developers to err in their implementations. And while most Bluetooth connections have a range of about 30 feet, hackers have been known to use directional, high-gain antennas to communicate over much greater distances.
BlueBorne is a powerful example of what a Bluetooth-based attack can do. Disclosed in 2017 and largely patched since then, the BlueBorne vulnerabilities are an attack vector that allows a malicious actor to take complete control over a target device, without needing to pair with it or even needing the device to be in discoverable mode. Such control is possible because Bluetooth has elevated privileges on virtually all operating systems, with components from the hardware level to the application level.
Finally, there’s NFC, which is typically used to accommodate payment between a smartphone and a retailer’s terminal. Though less of a practical avenue for hackers due to its tiny range (about 1.5 inches) and limited use cases, NFC attacks are possible.
One avenue for threat actors is the use of malicious NFC tags placed where phones are likely to bump up against them, perhaps in an entry for a crowded transit station. With Android, a malicious NFC tag can, for example, automatically open a malicious site in the user’s browser, provided that the device is unlocked. With iOS, weaponizing a malicious tag requires some social engineering, as a notification informs the user that the tag would like to open a given app; in a transit station, the tag could request that the user open the latest train schedule in their browser, for instance.
Possible risk mitigation actions
Even though radio-based attacks against smartphones are often invisible to the user and largely outside of the scope of most mobile security tools, there are a few actions you can take to keep your smartphone and your data safe. Perhaps the most powerful is simply turning off radios (particularly Wi-Fi and Bluetooth) when not in use or when in public.
To mitigate the risks of IMSI catchers, turn off 2G support if your smartphone allows it. For Wi-Fi, turn off auto-join for hotspots. For Bluetooth, be sure to install security updates in a timely manner to make sure that any known Bluetooth bugs have been patched. And if you frequently travel through chokepoints or known hostile environments, you may want to consider using a top-of-the-line Faraday case to shield out RF attacks (Faraday bags are generally inadequate against strong signals).
A smartphone’s radios are a key ingredient as to why these devices are so indispensable. With just a little bit of awareness and some proactive defense against their abuse, we can avoid being easy targets for the bad guys.